I just changed sys-net, sys-firewall and sys-usb to a debian-12-minimal clone, where I installed qubes-core-agent-networking, qubes-core-agent-dom0updates, qubes-core-agent-network-manager, qubes-usb-proxy, qubes-input-proxy-sender, libpam-systemd.
After that I just switched the templates of the three sys-* VMs to the newly created debian-12-minimal clone. I expected that something wouldn’t work, but… everything works fine?
I just want reassurance that this is OK to do, and that I didn’t increase my attack surface instead of lowering it because I forgot to install or to configure something.
Also: can I change sys-net to a named disposable (I am using ethernet, no wlan), or could it be that some weird problems occur if I do that?
I am asking this because honestly, most of the times I did something I broke Qubes and had to debug it for a few days until I got it to work again.
Edit: sys-net has only the clocksync service; sys-firewall and sys-usb don’t have any services applied. Is this also correct?
It’s OK to use minimal templates. I’ve been doing so since version 4.1.
I have three distinct templates, one for sys-net, one for sys-firewall and one for sys-usb.
sys-net includes qubes-core-agent-network, qubes-core-agent-dom0-updates, qubes-core-agent-network-manager, gnome-keyring and systemd-timesyncd.
sys-firewall includes qubes-core-agent-network and qubes-core-agent-dom0-updates only.
sys-usb includes qubes-usb-proxy, qubes-input-proxy-sender, policykit-1, libblockdev-crypto2 and eject.
I am not sure how truly necessary some of these are. But you can likely reduce your attack surface with three different “offshoots” of the minimal template. (Clone the original minimal-template to sys-net-tmpl, sys-firewall-tmpl, etc, and then install the packages truly needed by that sys-* qube.)
One subtle thing to look out for is to ensure these work as update proxies and time service qubes. In particular, sys-net should be your clock qube (which is why I have installed systemd-timesyncd on it), your default net qube should be sys-firewall, dom0-update-proxy should be sys-net (unless you’re using whonix), and your update proxy (for VMs other than dom0) should also be sys-net… again, unless you’re using whonix. You should get update notifications and your clock should reset itself if the services are working correctly.
I’m sure I am forgetting something. (And I’m sure if I said something wrong someone here will correct me, and I would be glad of that.)
For sys-usb I essentially took what @unman did a couple of years ago and adapted it to the way I maintain my system (a hybrid of salt and scripts). Are there better alternatives to what I use in sys-usb? Probably. But I honestly have no idea what they might be. It does work.
systemd-timesyncd: I have no idea when I added that, but I assume it has something to do with that qube being my time qube.
Also, I cannot recommend strongly enough keeping a full template around, as @neoniobium said. I was staying at a hotel that was in a mobile data dead zone and had no choice but to use their “free wifi”, but the problem was I simply couldn’t get it to work.
It turned out that it was one of those craptastic systems where you have to load their craptastic webpage (marketing induced, apparently some hotel marketeers don’t understand that you don’t spend your entire life in hotels) to then be able to enter the password. And that meant I couldn’t use it without a browser in sys-net. And of course I couldn’t install a browser without access. Fortunately I had a (full) debian-12 template around; I just based sys-net on it instead of sys-net-tmpl, and no more problems using their system.
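The per-role “offshoot” procedure described in the reply above (clone the minimal template once per sys-* qube, install only that qube’s packages, then check that sys-net is the clock/update qube and sys-firewall the default net qube) as a dom0 shell script. This is an added example, not code from the thread or from the Qubes project: the package lists are the ones posted in this thread (verify them with `apt` in the template), the base template name `debian-12-minimal` and the `-tmpl` suffix are assumptions, and `DRY_RUN=1` (the default) only prints the `qvm-*` commands instead of executing them.

```shell
#!/bin/sh
# Run in dom0. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
set -eu

BASE="${BASE_TEMPLATE:-debian-12-minimal}"   # assumed name of the minimal template
DRY_RUN="${DRY_RUN:-1}"

# Package sets per role, as listed in this thread (non-whonix setup).
packages_for() {
  case "$1" in
    sys-net)      echo "qubes-core-agent-networking qubes-core-agent-dom0-updates qubes-core-agent-network-manager systemd-timesyncd" ;;
    sys-firewall) echo "qubes-core-agent-networking qubes-core-agent-dom0-updates" ;;
    sys-usb)      echo "qubes-usb-proxy qubes-input-proxy-sender policykit-1 libblockdev-crypto2 eject" ;;
    *)            echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Global preferences the reply says should point at sys-net / sys-firewall.
# (The proxy used by *templates* is set by the qubes.UpdatesProxy RPC policy, not a pref.)
expected_pref() {
  case "$1" in
    clockvm)       echo sys-net ;;
    updatevm)      echo sys-net ;;
    default_netvm) echo sys-firewall ;;
    *)             return 1 ;;
  esac
}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Clone BASE into <role>-tmpl, install only that role's packages, re-point the qube.
# apt runs inside the template via qvm-run; the template itself has no network and
# reaches the repositories through the update proxy.
build_template() {
  role="$1"
  tmpl="${role}-tmpl"
  pkgs="$(packages_for "$role")"
  run qvm-clone "$BASE" "$tmpl"
  run qvm-run -u root -p "$tmpl" "apt-get update && apt-get install -y $pkgs"
  run qvm-shutdown --wait "$tmpl"
  run qvm-prefs "$role" template "$tmpl"
}

# Enable the clocksync service only on the clock qube (sys-net); the other two need none.
enable_services() {
  run qvm-service --enable sys-net clocksync
}

# Compare the live global prefs with the expected roles; returns 1 if anything differs.
check_prefs() {
  if ! command -v qubes-prefs >/dev/null 2>&1; then
    echo "qubes-prefs not found (not running in dom0), skipping pref check"
    return 0
  fi
  rc=0
  for key in clockvm updatevm default_netvm; do
    want="$(expected_pref "$key")"
    have="$(qubes-prefs "$key")"
    if [ "$have" = "$want" ]; then
      echo "ok   $key=$have"
    else
      echo "FIX  $key=$have (expected $want: qubes-prefs $key $want)"
      rc=1
    fi
  done
  return $rc
}

main() {
  for role in sys-net sys-firewall sys-usb; do
    build_template "$role"
  done
  enable_services
  check_prefs
}

main
```

Review the printed commands with `DRY_RUN=1` first; only then run with `DRY_RUN=0`. Keeping the full debian-12 template installed alongside the three offshoots preserves the fallback the reply describes (temporarily basing sys-net on the full template when a captive portal needs a browser).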